On Fri, Mar 25, 2011 at 4:33 PM, Andreas K. Huettel wrote:
>> and nowhere do we require you to generate a gpg key bound to the
>> Gentoo e-mail address.  we require you to provide a gpg key only.
>> like you said *right here*, we have 0 information to identify you, and
>> using a Gentoo e-mail address adds *nothing* to that.  so why add a
>> completely useless requirement?
>
> Because, pointing out the obvious, the key can contain all sorts of random
> true or false information. I could have a user id saying "Barack Obama
> <presid...@whitehouse.gov>".
>
> To be able to do key validation based on gpg's mechanisms, a userid needs to
> be signed. As e.g. Scarabeus and Wired can confirm, I'm definitely not Barack
> Obama, but for less obvious cases the validity of the provided identity may
> be unclear.
>
> Now, if I add a userid "<dilfri...@gentoo.org>" to my key, this userid does
> not contain any information that is not already verified and "in the Gentoo
> infra data". So, this one userid could be signed immediately by a central
> instance without any further fuss.

first off, fix your e-mail client.  this long line crap is ridiculous.

second, anyone can add/remove e-mail addresses.  we aren't verifying
e-mail addresses, we're verifying keys.  the *only* thing that matters
is that the key we have on file (0xabcd) is the one that was used to
sign.

> It's imho not a hard requirement, but it considerably eases administration.
> So why not require it for devs?

it makes 0 difference to administration
-mike
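The check Mike describes (match the signing key against the key on file, ignore whatever user id is on it), as an added example that is not from this thread: a Python function over constructed `gpg --status-fd` lines, with made-up placeholder fingerprints standing in for the real key ids.

```python
"""Accept a gpg signature only if the signing key is one we have on file.

Constructed example: the status lines below imitate gpg's --status-fd
output for `gpg --verify` (format documented in gnupg's doc/DETAILS).
The fingerprints are made-up placeholders, not real Gentoo keys.
"""
from typing import Optional

# Placeholder fingerprint standing in for "the key we have on file (0xabcd)".
PINNED_FINGERPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF0123ABCD",
}

# Constructed sample: a good signature whose user id claims to be someone famous.
# GOODSIG carries the key owner's self-chosen user id; VALIDSIG carries the
# fingerprint of the signing (sub)key and, as its last field, the primary key.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] SIG_ID abcdefghijklmnopqrstuvwxyz0 2011-03-25 1301063580
[GNUPG:] GOODSIG 89ABCDEF0123ABCD Barack Obama <president@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2011-03-25 1301063580 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF0123ABCD
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def signing_key_on_file(status_text: str, pinned: set) -> Optional[str]:
    """Return the pinned fingerprint that made the signature, else None.

    The user id in GOODSIG is never consulted: anyone can put any name or
    address on a key. Only VALIDSIG's fingerprints are compared with the
    keys on file. A signature made by a subkey is accepted when its primary
    key fingerprint (the last VALIDSIG field) is pinned.
    """
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] VALIDSIG "):
            continue
        fields = line.split()
        sig_fpr = fields[2].upper()
        # Field 12 (primary key fingerprint) is present in modern gpg output.
        primary_fpr = fields[11].upper() if len(fields) >= 12 else sig_fpr
        for candidate in (sig_fpr, primary_fpr):
            if candidate in pinned:
                return candidate
        return None  # a VALIDSIG, but from a key we do not hold on file
    return None  # no VALIDSIG at all: BADSIG, missing key, or not a signature
```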
